Endpoint Security: Putting The Focus On What Matters

Five tips to help sift through the noise and focus on actions that can dramatically impact your endpoint security program.

One of the greatest challenges organizations face when it comes to endpoint security is identifying what is relevant and which actions reduce the most risk. Whether you have deployed endpoint antivirus or one of the many advanced threat detection solutions, or you are evaluating an endpoint detection and response (EDR) technology, at the end of the day you have a limited number of resources. You must be decisive in taking action to minimize the chances of a breach, and you must place bets that will have the biggest payoff when it comes to reducing risk.

In this article, I offer some tips to help you sift through the noise and focus on actions that can dramatically improve your endpoint security program.

Tip #1: Gather Endpoint Context

Start by profiling your endpoints. Vulnerability scanners not only discover known and unknown endpoints, but also provide context about them such as device type, installed applications, OS, and version information. Your DHCP and DNS servers are useful in identifying what to scan. Traffic-monitoring technologies that non-intrusively listen to network traffic can identify transient devices that might not be connected at the time of scanning. Also, use server logs -- from your Exchange email server or IIS server, for example -- to identify what devices connect to your environment, since a host that authenticates to mail or a web application but never appears in a scan is a gap in your inventory.

Use this data to better understand the role your endpoints play, what types of services they support, and what other systems they communicate with. For example, is an endpoint a client that is accessed by a single user or a server that supports thousands of transactions such as a Web server? Is it a network infrastructure device that enables connectivity between the client and server? Is it running a current operating system or an older version that is vulnerable? Does it support critical applications?

Armed with this information, you can build appropriate scan policies and prioritize critical assets in your environment.
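As an added example (not code from the article or from Tenable), the following script shows the reconciliation step the tip describes: it pulls endpoint candidates out of an ISC dhcpd lease file and an IIS W3C-format log, then lists every host those sources saw that the scanner did not cover. The lease records, log lines, hostnames, addresses and the scanned-host set are all constructed sample data.

```python
import re

# Constructed sample inputs (not from the article): two ISC dhcpd lease records,
# a short IIS W3C log excerpt from an Exchange front end, and the hosts the
# vulnerability scanner already covers.
DHCP_LEASES = """\
lease 10.0.1.20 {
  starts 4 2017/05/04 08:12:00;
  ends 4 2017/05/04 20:12:00;
  hardware ethernet 00:1a:2b:3c:4d:5e;
  client-hostname "lt-finance-07";
}
lease 10.0.1.21 {
  starts 4 2017/05/04 09:01:30;
  ends 4 2017/05/04 21:01:30;
  hardware ethernet 00:1a:2b:3c:4d:5f;
  client-hostname "lt-sales-12";
}
"""

IIS_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2017-05-04 10:15:02 10.0.1.21 GET /owa/ 200
2017-05-04 10:15:09 10.0.2.77 GET /ecp/ 401
2017-05-04 10:16:44 10.0.1.20 POST /ews/exchange.asmx 200
"""

SCANNED_HOSTS = {"10.0.1.20", "10.0.3.5"}

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.DOTALL)


def parse_dhcp_leases(text):
    """Return {ip: {"mac": ..., "hostname": ...}} from dhcpd.leases text."""
    hosts = {}
    for ip, body in LEASE_RE.findall(text):
        mac = re.search(r"hardware ethernet\s+([0-9a-fA-F:]+);", body)
        name = re.search(r'client-hostname\s+"([^"]*)";', body)
        hosts[ip] = {
            "mac": mac.group(1) if mac else None,
            "hostname": name.group(1) if name else None,
        }
    return hosts


def parse_iis_clients(text):
    """Return the set of client IPs (c-ip) seen in a W3C-format IIS log.

    The #Fields directive defines the column order, so the parser reads it
    instead of assuming a fixed layout.
    """
    fields = None
    clients = set()
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("data row before #Fields directive")
        row = dict(zip(fields, line.split()))
        clients.add(row["c-ip"])
    return clients


def unscanned_hosts(dhcp, iis_clients, scanned):
    """Hosts seen by DHCP or the web server that the scanner has not covered.

    Returns {ip: (source, hostname_or_None)} so the scan policy can be extended.
    """
    seen = {ip: ("dhcp", info["hostname"]) for ip, info in dhcp.items()}
    for ip in iis_clients:
        seen.setdefault(ip, ("iis", None))
    return {ip: src for ip, src in seen.items() if ip not in scanned}


if __name__ == "__main__":
    gaps = unscanned_hosts(parse_dhcp_leases(DHCP_LEASES),
                           parse_iis_clients(IIS_LOG), SCANNED_HOSTS)
    for ip, (source, hostname) in sorted(gaps.items()):
        print(f"{ip:<12} seen by {source:<4} hostname={hostname}")
```

The same pattern extends to DNS query logs or passive traffic captures: parse each source into a set of addresses, union them, and subtract what the scanner already knows. The leftover set is the input to the next scan policy.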

Tip #2: Use Vulnerability Context

Once you have a good understanding of what's in your environment and have the context from scan results, use this information to prioritize remediation of what is vulnerable, at risk, or already compromised. Identify what vulnerabilities exist in the endpoint operating system and the applications that run on it. Use CVSS scores as a first step to focus on the most severe vulnerabilities. The CVSS vector behind each score records whether a vulnerability is exploitable locally or over the network, how complex the attack is, and what level of access (privileges and user interaction) it requires, so you can separate remotely reachable flaws from ones that need a foothold first. Keep in mind that CVSS measures severity, not the likelihood that anyone is actually exploiting the flaw; the next two tips add that.

Tip #3: Use Exploitability Context

At the enterprise level, there might be hundreds of critical endpoint vulnerabilities. So what can you do to make the process more manageable? As noted in the 2015 Verizon Data Breach Investigations Report, "a CVE [common vulnerability and exposure] being added to Metasploit is probably the single most reliable predictor of exploitation in the wild." Also check commercial exploit sources such as Canvas, Core Impact, and Exploit Hub to complete the exploitability view of your environment. Exploitable vulnerabilities should be remediated promptly, since attackers leverage them as a quick path to compromise. To further refine your approach, add context such as whether the endpoint is Internet facing, which would allow an outside attacker to exploit a network-reachable vulnerability remotely.

Tip #4: Use Threat Context

Adding threat context to your vulnerability results can help further prioritize what is critical. For example, modern vulnerability scanners can detect running processes on the endpoint. By correlating running processes against multiple threat intelligence feeds, you can identify rapidly changing malware that an antivirus engine might not detect. When you observe a malicious process on an endpoint that also has an exploitable, critical vulnerability, put that event at the top of your response queue.

Here are some other scenarios to prioritize:

An endpoint with an exploitable vulnerability that is communicating with a known command and control (C&C) server and sending data

An endpoint with an exploitable vulnerability that is scanning other endpoints inside the network

An endpoint with an exploitable vulnerability that is sending unencrypted PII to an outside server

Tip #5: Prioritize Remediation

Once you have correlated threats and vulnerabilities, you have what you need to best prioritize your remediation efforts. Start with immediate needs and use countermeasures that you may already have. For example, if there are connections to a C&C server, prioritize response by blocking those communications with existing defenses such as a firewall or IPS.

Other types of responses include quarantining the host, blocking an application, or denying user permission to resources. Note that blocking based on malware patterns only shields you from the threat temporarily; you remain susceptible to variants of the attack, so removing the underlying vulnerability should be the next step.

Next, turn your attention to patching vulnerable hosts. Start with the hosts that offer the biggest payoff, that is, the actions that remove the most risk first. Then tackle the remaining vulnerabilities, such as those that are most prevalent or those on asset groups that are critical to your environment. Don't forget to independently verify your patching process by rescanning those assets and correlating the results with your patch-management system. You may find errors that prevented a patch from being applied, or that your patch-management reporting is outdated.
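Tips #2 through #5 describe one prioritization pipeline; the following script, added here as an illustration and not code from the article or from Tenable, runs it end to end on constructed data. It parses the CVSS v3 vector to learn whether a flaw is network reachable, adds weight for exploit availability (Metasploit first, per the DBIR quote), for Internet exposure and critical applications, and for observed threat activity, then ranks the findings. A final function cross-checks what the patch-management system claims against a rescan, as the last paragraph recommends. The hostnames, finding IDs (EXAMPLE-1 and so on), weights, vectors, and the patch and rescan records are all assumptions made for the example; the weights in particular are a starting point to tune, not a standard.

```python
from dataclasses import dataclass, field


def parse_cvss3_vector(vector):
    """Split a CVSS v3 vector string into a metric -> value dict.

    'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H' -> {'AV': 'N', 'AC': 'L', ...}
    """
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3"):
        raise ValueError("only CVSS v3 vectors are handled here")
    return dict(p.split(":", 1) for p in parts[1:])


@dataclass
class Finding:
    host: str
    vuln_id: str                  # placeholder identifier, constructed for the example
    cvss_score: float
    cvss_vector: str
    exploit_frameworks: tuple = ()  # e.g. ("metasploit", "canvas")


@dataclass
class HostContext:
    internet_facing: bool = False
    critical_app: bool = False
    observations: set = field(default_factory=set)  # threat context from feeds / process data


# Assumed weights for observed threat activity (tune for your environment).
THREAT_WEIGHTS = {
    "c2_connection": 40,
    "unencrypted_pii_egress": 35,
    "internal_scanning": 30,
    "malicious_process": 25,
}


def priority_score(finding, ctx):
    """Higher is more urgent. CVSS anchors the score; exploit availability,
    network exposure, asset criticality and observed threat activity add to it."""
    metrics = parse_cvss3_vector(finding.cvss_vector)
    score = finding.cvss_score * 10            # 0..100 baseline from severity
    if "metasploit" in finding.exploit_frameworks:
        score += 25                            # strongest predictor of in-the-wild exploitation
    elif finding.exploit_frameworks:
        score += 15                            # exploit exists in a commercial framework
    if metrics.get("AV") == "N" and ctx.internet_facing:
        score += 20                            # network-reachable and exposed to outsiders
    if ctx.critical_app:
        score += 10
    score += sum(THREAT_WEIGHTS.get(o, 0) for o in ctx.observations)
    return score


def rank_findings(findings, contexts):
    """Return findings ordered most urgent first."""
    return sorted(findings, key=lambda f: priority_score(f, contexts[f.host]), reverse=True)


def verify_patches(patch_mgmt, rescan):
    """patch_mgmt: {host: set of vuln_ids marked patched}; rescan: {host: set still detected}.

    Returns {host: vuln_ids the patch system claims fixed but the rescan still finds}.
    """
    result = {}
    for host, claimed in patch_mgmt.items():
        still_present = claimed & rescan.get(host, set())
        if still_present:
            result[host] = still_present
    return result


# Constructed sample data (not real findings).
FINDINGS = [
    Finding("web-01", "EXAMPLE-1", 9.8, "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", ("metasploit",)),
    Finding("lt-finance-07", "EXAMPLE-2", 7.8, "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", ("metasploit", "canvas")),
    Finding("db-02", "EXAMPLE-3", 9.1, "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", ()),
]
CONTEXTS = {
    "web-01": HostContext(internet_facing=True),
    "lt-finance-07": HostContext(observations={"c2_connection", "malicious_process"}),
    "db-02": HostContext(critical_app=True),
}
PATCH_MGMT = {"web-01": {"EXAMPLE-1"}, "db-02": {"EXAMPLE-3"}}
RESCAN = {"web-01": set(), "db-02": {"EXAMPLE-3"}}

if __name__ == "__main__":
    for f in rank_findings(FINDINGS, CONTEXTS):
        print(f"{priority_score(f, CONTEXTS[f.host]):6.1f}  {f.host:<14} {f.vuln_id}")
    print("patch claims contradicted by rescan:", verify_patches(PATCH_MGMT, RESCAN))
```

On the sample data the laptop with a local-only vulnerability outranks the Internet-facing web server, because the C&C connection and malicious process push it to the top, which is exactly the ordering the threat-context tip argues for. The rescan check then flags db-02, whose patch-management record says the vulnerability was fixed but whose rescan still detects it.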

Final Thoughts

Implementing a prioritized approach to endpoint security can help you focus on actions that can quickly reduce risk in your environment. To learn more about improving your endpoint security program, please join the Tenable Webcast titled “Four Reasons Why Endpoint Security Fails” on Nov 18th.

Manish Patel is a senior product marketing manager responsible for managing the marketing activities of Tenable's integration with leading vendors in network and endpoint security, access control, threat intelligence, and cloud applications. He is instrumental in creating ...

